CVE-2024-53582

HIGH

OpenPanel 0.3.4 - Path Traversal via File Manager Copy and View Functions

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-53582. PoCs published by Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee.

AI-analyzed exploit summary This exploit demonstrates a directory traversal vulnerability in OpenPanel's File Manager 0.3.4 via the `view_file` endpoint. By manipulating the `filename` and `path_param` parameters, an attacker can access arbitrary files outside the intended directory, such as `/etc/shadow`.

Description

An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request.

Exploits (2)

exploitdb WORKING POC

by Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee · textwebappsmultiple

https://www.exploit-db.com/exploits/52198

View Code ZIP pw:eip

This exploit demonstrates a directory traversal vulnerability in OpenPanel's File Manager 0.3.4 via the `view_file` endpoint. By manipulating the `filename` and `path_param` parameters, an attacker can access arbitrary files outside the intended directory, such as `/etc/shadow`.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: OpenPanel File Manager 0.3.4

Auth required

Prerequisites: Valid session cookie · Access to the vulnerable endpoint

MITRE ATT&CK

T1006 - Direct Volume Access T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee · textwebappsmultiple

https://www.exploit-db.com/exploits/52196

View Code ZIP pw:eip

This exploit demonstrates an incorrect access control vulnerability in OpenPanel 0.3.4, allowing unauthorized directory traversal via a crafted HTTP GET request. The request bypasses access controls to traverse directories using '../..' in the path.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: OpenPanel 0.3.4

Auth required

Prerequisites: Valid session cookie · Network access to the target

MITRE ATT&CK

T1083 - File and Directory Discovery T1021 - Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Broken Link

https://openpanel.com/docs/changelog/0.3.5/#%EF%B8%8F-security-fixes

Exploit

https://packetstorm.news/files/id/188913/

Scores

CVSS v3 7.5

EPSS 0.0810

EPSS Percentile 92.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

openpanel/openpanel 0.3.4

Published Jan 31, 2025

Tracked Since Feb 18, 2026